Bad guys are exploiting the CVE-2017-0199 vulnerability to slip past endpoint security software and deliver the Remcos remote access Trojan via malicious Microsoft PowerPoint slide show files.
CVE-2017-0199, a flaw in the Windows Object Linking and Embedding (OLE) interface, is normally exploited through booby-trapped RTF documents, but researchers at Trend Micro have spotted cyber criminals using it in PowerPoint slide show (PPSX) files for the first time. Critically, since most detection methods for CVE-2017-0199 are written around the RTF delivery method, switching to a PPSX file lets the attackers push the same exploit past antivirus products that only look for the RTF variant.
The attack begins with a spear-phishing email that claims to come from a cable manufacturing provider and mainly targets organizations in the electronics manufacturing industry.
The sender's address is spoofed to look like a message from a business partner, and the email is written to look like an order request, with an attachment purporting to contain "shipping information". Here is how it looks:
The attachment, however, is a malicious PowerPoint show that, when opened, simply displays the text 'CVE-2017-8570', the identifier of a different Microsoft Office vulnerability from the one actually used in this attack.
Opening the file triggers an exploit for CVE-2017-0199, which starts the infection chain: the malicious code is run through the PowerPoint Show animations feature and, if successful, downloads a file named logo.doc.
The downloaded logo.doc contains XML and JavaScript code, which runs PowerShell to execute a file called 'RATMAN.EXE', a Trojanised version of the Remcos remote access tool, which then connects to a command and control server.
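The chain above only works because the PPSX carries a link to an object hosted outside the file, which Office fetches when the slide show opens. A PPSX is just a ZIP of XML parts, so a mail gateway or analyst can triage one without opening it in PowerPoint. The script below is an added example written for this post, not code from Trend Micro or from the attackers: it builds two constructed sample PPSX files in memory (one with an OLE relationship marked External and pointing at a placeholder URL, one with a normal embedded object) and flags any slide whose OLE relationship points outside the package. The URL, part names and the "suspicious"/"clean" verdict are all assumptions made for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship type PowerPoint
# uses to attach an OLE object to a slide.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LAYOUT_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"

# Placeholder URL for the constructed sample; NOT the real attacker server.
SAMPLE_URL = "http://example.invalid/logo.doc"


def build_sample_ppsx(ole_target, external=True):
    """Construct a minimal PPSX whose slide 1 has one OLE relationship.

    external=True marks the relationship TargetMode="External" and points it at a
    URL, the structure a remote-OLE lure depends on. external=False points it at
    an embedded part, as a harmless embedded object would. Sample data only.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        f'<Relationship Id="rId1" Type="{LAYOUT_REL_TYPE}" Target="../slideLayouts/slideLayout1.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def find_external_ole(ppsx_bytes):
    """Return (rels_part, rel_id, target) for every slide OLE relationship
    whose target lives outside the package (TargetMode="External")."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            # A remote OLE link must be declared in a slide's relationship part.
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def verdict(ppsx_bytes):
    """'suspicious' if any slide links an OLE object to a remote target, else 'clean'."""
    return "suspicious" if find_external_ole(ppsx_bytes) else "clean"


if __name__ == "__main__":
    lure = build_sample_ppsx(SAMPLE_URL, external=True)
    benign = build_sample_ppsx("../embeddings/oleObject1.bin", external=False)
    for label, blob in (("lure", lure), ("benign", benign)):
        print(label, verdict(blob), find_external_ole(blob))
```

Treat a hit as a triage signal rather than proof of malice: a legitimately linked object can also carry an external target, so the finding should route the file to sandboxing or a manual look, and the same relationship check can be applied to the other OOXML container formats (DOCX, XLSX) since the remote-OLE trick is not specific to PowerPoint.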
Once up and running on a system, Remcos allows keylogging, screen capture, webcam and microphone recording, and the download and execution of additional malware. It can give the attacker almost full control over the infected machine without the owner being aware.
These are skilled bad guys: the malware is wrapped with a .NET protector that applies several layers of protection and obfuscation to make it harder for researchers to reverse engineer.
Fortunately, there's a way to completely avoid becoming a victim of this particular attack: Microsoft released patches for CVE-2017-0199 in April 2017, and any system with those updates installed is safe from this attack.
Trend Micro researchers Ronnie Giagone and Rubio Wu wrote: "Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails, even if they come from seemingly legitimate sources. Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files. There are various techniques organizations can use to defend themselves against these attacks, with education of staff playing a key role."
We could not agree more.
KnowBe4's integrated training and phishing platform allows you to send fully simulated Office phishing emails so you can see which users answer the emails and/or click on links in them or open infected attachments. If you have a Platinum subscription you can even send them "vishing" attacks straight to the phone on their desk.
See it for yourself and get a live, one-on-one demo.
PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:
https://info.knowbe4.com/kmsat-request-a-demo